
I use raw sockets to create TCP packets, with a focus on the sequence number and the TCP flags (SYN, ACK).

I used one machine S to send a TCP ACK packet (the ACK flag is set to 1) and another machine R to receive it. These two machines are in different subnets, all in my school.

Meanwhile, I used tcpdump to capture the packets.

Strange things happen! On machine S, the captured packet is as expected: it is an ACK packet. However, on the receiving machine R, the packet becomes a SYN packet, and the sequence number is changed: the seq no is 1 smaller than expected and the ack_seq becomes 0!

What is wrong with this? My guess is that the router/firewall modified the ACK packet into a SYN packet because it never saw a SYN / SYN-ACK exchange ahead of the ACK. Is that possible or not?

The two captured packets are:

https://docs.google.com/file/d/0B09y_TWqTtwlVnpuUlNwUmM1YUE/edit?usp=sharing
https://docs.google.com/file/d/0B09y_TWqTtwlTXhjUms4ZnlkMVE/edit?usp=sharing

  • 1
    That is definitely weird, and it is unlikely that the firewall would attempt to set up the TCP session correctly; it should do the opposite and discard the packet as out-of-state. Can you upload the captures somewhere?
    – Paul
    Commented Mar 17, 2013 at 22:55
  • Yes, I added them!
    – user138126
    Commented Mar 17, 2013 at 23:21
  • The captures are not publicly available from here. Could you make them publicly available?
    – kokx
    Commented Mar 17, 2013 at 23:25
  • I have made them public.
    – user138126
    Commented Mar 18, 2013 at 0:01
  • Packet 2 is the interesting one, right? It is issued as an ACK, but there is a SYN at the server end. But what are packets 1 and 3? It looks like there is already a session running with those ports?
    – Paul
    Commented Mar 18, 2013 at 3:10

1 Answer


My guess would be that you have the sequence numbers wrong on your ACK packet. So the firewall in between sees your ACK packet with the wrong sequence number and decides that the SYN-ACK never made it to you, and so re-transmits the original SYN packet to the server to get it to resend the SYN-ACK, which it does.

If you look at your trace in Wireshark, it draws the same conclusion: it doesn't see your ACK as part of the original session, but as a new session using the same ports.

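As an added example (this is not code from the question or the answer), the script below builds a raw TCP header with a valid pseudo-header checksum, derives the three handshake segments from a pair of initial sequence numbers, and models the stateful check a firewall in the path might apply: a bare ACK is accepted only if its seq equals the client ISN + 1 and its ack equals the server ISN + 1 of the SYN and SYN/ACK it has already tracked; anything else is out-of-state. The addresses, ports and ISNs are made-up values, and the tracker is a simplified model, not any particular vendor's implementation.

```python
import socket
import struct

# TCP flag bits (RFC 793 control bits, low byte of the flags field)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Header layout: sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent
TCP_FMT = "!HHIIBBHHH"


def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, folded, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack_seq, flags, window=65535) -> bytes:
    """Build a 20-byte TCP header (no options, no payload) with a correct checksum."""
    data_offset = 5 << 4  # 5 x 32-bit words, reserved bits zero
    hdr = struct.pack(TCP_FMT, sport, dport, seq, ack_seq, data_offset, flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def verify_tcp(src_ip, dst_ip, segment: bytes) -> bool:
    """A segment with a correct checksum sums to all-ones, so checksum() returns 0."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack_seq, _off, flags, window, _csum, _urg = struct.unpack(TCP_FMT, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack_seq, "flags": flags, "window": window}


def flag_names(flags: int) -> str:
    return "/".join(n for bit, n in ((SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH"))
                    if flags & bit)


def handshake(client_isn: int, server_isn: int):
    """(seq, ack, flags) of the three handshake segments for the given ISNs."""
    syn = (client_isn, 0, SYN)                            # what a SYN looks like: ack field is 0
    synack = (server_isn, client_isn + 1, SYN | ACK)
    ack = (client_isn + 1, server_isn + 1, ACK)           # the final ACK must carry ISN+1 on both sides
    return syn, synack, ack


class ConnTracker:
    """Toy stateful tracker (an assumption about firewall behaviour, not a real product)."""

    def __init__(self):
        self.state, self.client_isn, self.server_isn = "NONE", None, None

    def observe(self, seq: int, ack: int, flags: int) -> str:
        if flags & SYN and not flags & ACK:
            self.state, self.client_isn = "SYN_SENT", seq
            return "new"
        if flags & SYN and flags & ACK and self.state == "SYN_SENT" and ack == self.client_isn + 1:
            self.state, self.server_isn = "SYN_RECV", seq
            return "ok"
        if flags == ACK and self.state == "SYN_RECV":
            if seq == self.client_isn + 1 and ack == self.server_isn + 1:
                self.state = "ESTABLISHED"
                return "ok"
            return "invalid"  # numbers do not match the tracked handshake: out-of-state
        return "invalid"


def send_raw(dst_ip: str, segment: bytes) -> None:
    """Send a crafted segment; the kernel adds the IP header. Needs root; not run here."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as s:
        s.sendto(segment, (dst_ip, 0))


if __name__ == "__main__":
    # Constructed sample: client 10.0.0.1:40000 -> server 10.0.0.2:80, ISNs 1000 and 5000
    tracker = ConnTracker()
    syn, synack, ack = handshake(1000, 5000)
    for seg in (syn, synack):
        print(flag_names(seg[2]), seg, tracker.observe(*seg))
    print("bad ACK  (seq=ISN, ack=0):", tracker.observe(1000, 0, ACK))
    print("good ACK (ISN+1 both sides):", tracker.observe(*ack), tracker.state)
    good = build_tcp("10.0.0.1", "10.0.0.2", 40000, 80, *ack)
    print("checksum valid:", verify_tcp("10.0.0.1", "10.0.0.2", good), parse_tcp(good))
```

Run it as an ordinary user to see the tracker's verdicts; `send_raw` is only there to show how the same header bytes would be handed to a raw socket, and a SYN-only segment in the trace carrying seq = (your ACK's seq) - 1 and ack = 0 is exactly the shape of `syn` above, which is what the answer argues the firewall re-sent.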